Fog Creek Software
Discussion Board

Easy way to infect IIS server

Regarding the threads below on Dennis Forbes' new IIS hole, nobody seems to have picked up on the line of attack suggested by the descriptions on the linked pages, namely:

1) Web site administrator browses with IE
2) Web admin gets infected by malicious code on some trusted web site through an unpatched hole in IE
3) Web admin later connects to own IIS server to upload valid changes using authenticated connection
4) Malicious code infecting web admin's workstation piggy-backs on authenticated link to place malicious code on otherwise trusted and secure IIS server
5) The cycle continues

Any thoughts?

Ian
Monday, June 28, 2004
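The control a defender has against step 4 is knowing what is supposed to be on the server and noticing when that changes. The following is an added example, not code from the thread or from any poster: it records a SHA-256 baseline of a web content folder, stores it as JSON, and later reports files that were added, removed or modified. The IIS content path is replaced by a constructed temporary directory, and the file names in it are assumptions.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: str) -> dict:
    """Map every file under web_root (relative, '/'-separated) to its hash."""
    root = Path(web_root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    # Keep the baseline somewhere the web server account cannot write to.
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare_to_baseline(web_root: str, baseline: dict) -> dict:
    """Report what differs between the live content folder and the stored baseline."""
    current = build_baseline(web_root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in current if name in baseline and current[name] != baseline[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: a small web root is baselined, then changed behind
    the admin's back; the comparison is what a scheduled check would report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        # Constructed sample content standing in for the real site.
        (root / "index.htm").write_text("<html><body>Hello</body></html>")
        (root / "images" / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 16)

        baseline_file = os.path.join(tmp, "baseline.json")
        save_baseline(build_baseline(tmp), baseline_file)
        # The baseline file itself lives in the root here only for the demo;
        # exclude it so it is not reported as an added file.
        baseline = load_baseline(baseline_file)
        os.remove(baseline_file)

        # Simulated unauthorized change: one existing page altered, one new file dropped.
        (root / "index.htm").write_text("<html><body>Hello<!-- altered --></body></html>")
        (root / "new-page.htm").write_text("<html></html>")

        return compare_to_baseline(tmp, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Run on a schedule from a machine other than the one that publishes content, the report is the signal: the admin expects the files they just uploaded to show as modified, and anything else in the list is worth an explanation before it is trusted.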

IIS blows.  IE blows.  You know it, I know it, the whole world knows it.

I am forced to use IIS, but dammit, no one has to use IE.

Sassy
Monday, June 28, 2004

My unpatched, wide open NT 4 machine caught Nimda back in Sept. 2001 by this very sequence of actions.

Gawd, I felt like an idiot. I learned.

Bored Bystander
Monday, June 28, 2004

>>"but dammit, no one has to use IE."

Exactly.  Any sys-admin who uses IE for web browsing needs to become unemployed very quickly.

Made Up Name
Monday, June 28, 2004

Windows Server 2003 pretty much disables it.

unfortunately, this means when you click on an event in the event viewer, and it tries to get more info from microsoft, you get a 'you can't look at this page' error.

mb
Monday, June 28, 2004


"Exactly.  Any sys-admin who uses IE for web browsing needs to become unemployed very quickly."

Browsing the web on a server is a definite no-no, but are you honestly suggesting that any sys admin who uses IE on his own machine lose his job?

..and we wonder why the rest of the world views techies as opinionated blowhards.

Good Grief
Monday, June 28, 2004

If I understand MS (and common) usage of Kerberos, browsing on any machine inside the domain with admin privs exposes the account.  Regardless of machine.

hoser
Monday, June 28, 2004

"Browsing the web on a server is a definite no-no, but are you honestly suggesting that any sys admin who uses IE on his own machine lose his job?"

Which of course is why it is a part of the operating system in every recent MS OS.  Nice deal.  Has the inclusion of IE and Windows Media Player enhanced Windows 2003 security in any way?  FUUUUUUUU<k no!

Don
Monday, June 28, 2004

"...Any sys-admin who uses IE for web browsing needs to become unemployed very quickly..."

Sure. If he is ignorant enough to not know how to configure IE and OE for safe use.

Som
Tuesday, June 29, 2004

"Sure. If he is ignorant enough to not know how to configure IE and OE for safe use."

And we all know there are no zero day exploits that could ever affect the fine IE and OE winning combination.  Configuring these for safe use is like configuring a pistol for Russian Roulette.

Spid
Tuesday, June 29, 2004

Not to mention that IE on Server 2003 is in lockdown mode by default - nothing works, outside of good ol' HTML.

Greg Hurlman
Tuesday, June 29, 2004

"Exactly.  Any sys-admin who uses IE for web browsing needs to become unemployed very quickly."

So a web site maintainer should not use IE to test the web site they maintain, even though many people accessing the web site will be using IE?

Also, the comments about not using IE on the IIS host are slightly misplaced. The scenario I describe relates to a web maintainer using IE on their own personal workstation, and later infecting the server over a secure, authenticated workstation-server connection.

Ian
Tuesday, June 29, 2004


This exchange must happen daily at some of your offices:

Admin: "Sorry, I can't duplicate the problem you're having with the web page."

User: "But it's happening to everyone else, too!!"

Admin: "Are you using IE?"

User: "Uh..Yeah, that's the company standard."

Admin: "Oh, that's the problem. My boss, Dingle Dong, won't let me use IE. He doesn't know how to configure it. I'm using Opera."

User: "So how are we supposed to enter all the budget data?"

Admin: "I don't know. But rest assured that if it ever gets entered, it will be safe and secure from IE exploits. Have a nice day!"

User: "Fucking idiotic admins. They live in their own fucking world."

Richard Dyer
Tuesday, June 29, 2004

User: "Fucking idiotic admins. They live in their own fucking world."

Admin:  "Fine, don't come whining to me when the network crawls because you got wormed."

Spid
Tuesday, June 29, 2004


Admin:  "Fine, don't come whining to me when the network crawls because you got wormed."

User: "And don't go whining about management when the company stock tanks because we aren't able to do our jobs because the stupid IT staff knows less about serving business needs than my 8 year old running a lemonade stand!"

Richard Dyer
Tuesday, June 29, 2004


It has been my experience as a sysadmin that the user always knows best.  Witness clicking on bigjuggs.jpg.pif

Don
Tuesday, June 29, 2004
